PRIVACY POLICY OF ARROWS advokátní kancelář, s.r.o.


This Privacy Policy (hereinafter referred to as the “Policy”) informs you how ARROWS advokátní kancelář, s.r.o., with the registered office: Plzeňská 3350/18, 150 00 Praha, Company Identification No. 067 17 586, incorporated in the Companies Register kept by the Municipal Court in Prague, file No. C 287750 (hereinafter referred to as “ARROWS” or the “Company”), obtains, keeps, and processes your personal data in connection with your client or other relationship to the Company.

1. General Provisions

The aim of this Policy, in compliance with the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter referred to as “GDPR”), is to provide the information what personal data the Company, as a personal data controller, processes about natural persons when providing its services and for what purpose and for how long the Company processes such personal data in compliance with the applicable legislation, whom and why the Company may disclose such data; the aim of this Policy is to inform what rights the natural persons have in connection with the processing of their personal data and how such rights may be applied.

This Policy concerns the processing of personal data of our clients, i.e. you if you are a natural person, and/or of your employees or members of bodies if you are a legal person, or of visitors of the ARROWS website, always within the scope of personal data corresponding to your position towards ARROWS. All the services we provide are designated for you as our client who acts within his/her business or another enterprising activity and/or within employment performance for his/her employer who is our client (hereinafter referred to as the “Client” or “You”).

This Policy is effective as of 25 May 2018 and is issued in compliance with GDPR to ensure the information obligation of the Company as a controller pursuant to Article 13 of GDPR.

2. Personal Data Controller

A controller of your personal data is the Company whereas the correct contact data is available at

3. Data Protection Officer

The Company is not obliged to appoint a Data Protection Officer. A Data Protection Officer has not been appointed in the Company.

You may contact ARROWS as a personal data controller directly at

ARROWS advokátní kancelář, s.r.o.

V Jámě 699/1

110 00 Praha

Phone No.: +420 910 058 058


4. Categories of Personal Data Processed by ARROWS

Personal data is any information relating to a natural person, You, based on which the Company is able to identify You. In connection with the provision of services the Company may process the following categories of personal data.

4.1 General Personal Identification Data

It is data which is or might be, in certain cases, necessary to conclude a contract with You; this includes especially the following personal data:

  • Academic degree;
  • Name and surname;
  • Date of birth;
  • Residence / registered office;
  • Your job position (in case You order our services/goods as a company representative);
  • Your position as a body of a company which is our Client;
  • Company Identification No., Tax Identification No.;
  • Payment data; and
  • Signature.

4.2 Contact Data

It is the following personal data:

  • Name and surname;
  • E-mail;
  • Phone No.; and
  • Postal address.

4.3 Payment Data relating to the Service Provided

It is the following personal data:

  • Bank account number;
  • Information concerning the payments made;
  • Tax documents.

4.4 Personal Data Processed in connection with the Provision of Legal Services

It is data which is necessary for the provision of legal services whereas it may include a wide range of personal data You disclose to us to protect Your legal interests; this may include especially the following personal data:

  • Name and surname;
  • Personal data relating to the Client´s identity cards (passport, ID card, driving licence, etc.) whereas the ID card number, authority issuing the ID card and ID card validity are processed;
  • Date of birth;
  • Birth certificate No.;
  • Maiden name;
  • Data concerning health;
  • Income amount;
  • Family relations;
  • Your position as a body of a company which is our Client;

4.5 Records on E-mail and Written Communication

It is mainly personal data included in the e-mail and written communication with the Client.

5. Purpose, Period and Legal Reason of Personal Data Processing

5.1 Processing due to Performance of a Contract, Meeting of Statutory Obligations and due to Legitimate Interests of the Company

5.1.1 Personal Data Processing when Meeting Contractual Obligations

The Company needs to know and process your personal data to be able to provide You with its services. We process your personal data especially to conclude and perform an Agreement for Provision of Legal Services, which is concluded between the Client and the Company, whereas the legal title of processing is performance of such an Agreement. For that purpose, the personal data within the scope of General Personal Identification Data, as defined in Article 4.1 hereof, is processed.

We obtain such processed personal data from You directly upon the conclusion of an Agreement for Provision of Legal Services as well as before the conclusion of such an Agreement during the negotiations on the content of that Agreement and also during the provision of legal services.

The Company processes such personal data only for the term of a contractual relation between the Client and the Company and for a period of five years after the provision of legal services between You and the Company is terminated, eventually for a period stipulated for the Company by legal regulations.

5.1.2 Personal Data Processing when Meeting Statutory Obligations

When providing the services the Company is obliged to meet the obligations arising from the following legal regulations: Act No. 563/1991 Coll., on Accounting, Act No. 586/1992 Coll., on Income Tax, Act No. 235/2004 Coll., on Value Added Tax, Act No. 253/2008 Coll., on Selected Measures against Legitimisation of Proceeds of Crime and Financing of Terrorism (hereinafter referred to as “AML”).

Some of the personal data may be specified in accounting documents (in invoices or other documents). The following Acts: AML Act, Act on Accounting, Act on Income Tax, or Act on Value Added Tax, stipulate for the Company the obligation to keep such documents for a period of 10 years. If the Company is obliged by law to archive such documents, they are archived along with your personal data specified in a relevant document.

5.1.3 Personal Data Processing based on a Legitimate Interest

In case You are delayed in payment, You do not meet your liability, or we do not receive a payment from You at all, eventually if any other damage or loss is caused by You to us, we may process the personal data also based on a legitimate interest consisting in the recovery our receivables and/or determination, protection and exercise of the Company´s legal claims. We may keep your personal data for that purpose for a limitation period pursuant to the Act No. 89/2012 Coll., Civil Code.

The Company is entitled to process your e-mail address within the meaning of Section 7 (3) of the Act No. 480/2004 Coll., on Certain Information Society Services, to disseminate commercial messages concerning our services and products, in case you have not refused sending of such commercials.

5.1.4 Personal Data Processing based on a Your Consent

The Company processes your personal data generally in cases required by law, if the processing is necessary to perform a contract, or based on a legitimate interest of the Company. In extraordinary cases only, we process personal data based on your consent in compliance with the purpose and for the period specified in such a consent.

6. Third Parties We Disclose Personal Data to

When meeting its contractual liabilities and obligations, the Company uses professional and specialized services of other entities. If such contractors process the personal data provided by the Company, they are in a position of personal data processors and they process the personal data only within the instructions from the Company and are not entitled to use the data in any other manner.

This includes mainly:

  • Cooperating attorneys;
  • External providers of accounting and tax services;
  • External providers of IT system, computer network, and hardware administration services;
  • Cookies we process in case You visit our website; for more detailed information what types of Cookies we process and how we process them, please visit the Cookies section at our website [•]

We have concluded with the personal data processors mentioned in the previous paragraph the Agreements for Personal Data Processing which guarantee at least the same level of protection of your personal data as this Policy.

Within meeting of its statutory obligations the Company discloses your personal data to administrative bodies and authorities determined by the applicable legislation.

7. Personal Data Security

The Company has implemented and maintained the necessary appropriate technical and organizational measures, internal inspections, and information security procedures in compliance with due diligence concerning the users and their rights, corresponding to a possible imminent risk for data subjects. At the same time, the Company considers the state of the art to protect the personal data against any accidental loss, destruction, change, unauthorized publishing or access. Such measures may include, inter alia, mainly the adoption of reasonable steps to ensure the responsibility of employees who have access to sensitive data and documents, training of employees, regular backups, procedures for data restoration and incident management, software protection of devices in which the personal data is stored, etc.

The Company´s employees are obliged to keep confidentiality about all the facts concerning You, even after their employment is terminated. A signed declaration concerning the confidentiality obligation forms a part of the employe´s Employment Contract.

8. Your Rights to Personal Data

If You apply any of your rights pursuant to this Article 8 or in compliance with the applicable legislation, we will inform of the measure taken, of erasure of your personal data, or of the restriction of processing in compliance with your request, every recipient whom such data has been disclosed to pursuant to Article 6 hereof, if such notification is possible and/or does not require any unreasonable efforts.

If You want to apply these rights and/or obtain relevant information, You may contact us via e-mail sent to or in writing at the registered office address of the Company. 

If You apply your rights, we may ask You to provide us with some of the identification data You have provided to us. The provision of such data is necessary to verify whether the relevant requirement has been really sent by You. We will reply You within one month after receiving your request whereas we reserve a right to extend this period by two months.

8.1 Right to Access Personal Data

Pursuant to Article 15 of GDPR you have a right to access your personal data, which includes the right to obtain from the Company:

  • confirmation whether the Company processes your personal data;
  • information on the purposes of processing, categories of affected personal data, recipients whom the personal data has been or will be made available to, planned processing period, existence of a right to require from the Company a rectification or deletion of your personal data, restriction of processing, right to raise an objection against such processing, right to file a complaint at a supervisory authority, information concerning any and all the available data about personal data sources unless obtained from data subjects, facts about applied automated decision-making and profiling, information about suitable guarantees in case the personal data is transferred outside the EU,

as well as a copy of personal data if the rights and freedoms of third parties are not adversely affected.

In case of a repeated request the Company is entitled to charge a reasonable fee for a copy of personal data.

8.2 Right to Rectify Inaccurate Data

Pursuant to Article 16 of GDPR You have a right for rectification of inaccurate personal data the Company processes about You. A user is also obliged to announce any changes of his/her personal data and document such a change has been made. Furthermore, a user is obliged to provide the Company with collaboration if it is found out the personal data processed by the Company is not accurate. We will rectify the data without undue delay however with respect to the relevant technical possibilities.

8.3 Right to Erase Personal Data

Pursuant to Article 17 of GDPR you have a right to have your personal data erased if the Company does not prove any legitimate interests for processing of such data. The Company has set the mechanisms to ensure automatic anonymisation or erasure of personal data in case it is no more necessary for the purpose which it has been processed for.

8.4 Right to Restrict Processing

Pursuant to Article 18 of GDPR a data subject has a right to restrict processing until a suggestion is solved if a data subject denies the accuracy of personal data, reasons of its processing, or files an objection against its processing.

8.5 Right to Portability of Personal Data

Pursuant to Article 20 of GDPR You have a right to portability of your personal data You have provided to us - to a controller, in a structured, commonly used, and machine-readable format. You are also entitled to ask for transfer of this data to another controller.

In case the exercise of this right might adversely affect the rights and freedoms of third parties, your request may not be satisfied.  

8.6 Right to Raise an Objection against Personal Data Processing

Pursuant to Article 21 of GDPR You have a right to raise an objection against processing of your personal data by the Company.

In case the Company does not prove there is a serious legitimate reason for processing, prevailing over the interests or rights and freedoms of a data subject, the Company will terminate the processing based on such an objection without undue delay.

8.7 Right to Withdraw Your Consent to Personal Data Processing

If you gave the Company a consent to personal data processing, it is possible to withdraw it anytime. Revocation is necessary to be made by express, clear and certain indication of the data subject´s wishes, in writing to the registered office address of the Company or via e-mail sent to

8.8 Right to Apply to the Office for Personal Data Protection

You have a right to file a complaint concerning our processing of your personal data at the Office for Personal Data Protection, Pplk. Sochora 27, 170 00 Praha 7. Office´s website:

9. Updates of Privacy Policy

Please be informed we may amend or update this Privacy Policy. Any amendments hereto become effective after their publishing on the Company´s website.